Legitimate Interests

The ‘legitimate interests’ lawful basis is probably the one upon which most organisations currently rely. The term ‘legitimate interests’ means that your organisation is free to hold or process data in a way that the individual could reasonably expect, and which applies to the relationship between the controller and the subject.

For example, if a new person enquires about an Alpha course at your church, they could reasonably expect you to use the information they have provided in order to send them further details about the course. This is the ‘common sense’ approach to data processing, and one which will stand many churches in good stead for some of their operations.

However, there are some provisos. The first is that you may only process the data in a way that the individual might reasonably expect. So, if someone at the church then used that person’s email address to approach them about, for example, a business that they run, this would not be covered by legitimate interests.

The second proviso is that legitimate interest only applies when there is a minimal risk of any impact on the individual’s privacy. So, if you don’t have appropriate security measures around your email address book, you could find yourself in breach.

There is also data sensitivity to consider. Information relating to religion and faith is what is known as ‘special category data’ and must be handled very carefully. As a church, this will apply to almost everything you hold and process. You can read more about special category data.